Where Is a Transfer? Datatilsynet Says Almost Everywhere!

Share on facebook
Share on twitter
Share on linkedin
Share on reddit

Let’s say you are an EU company. You engage a processor. Data is processed in the EU. There is no transfer.

But in the processor-sub-processor data processing agreement, the data processor reserves the right to disclose personal data based on decisions by public authorities — including third countries. Is this a Schrems II Chapter V GDPR transfer? Datatilsynet says yes.

Some key points:

You have to comply with the requirements of Chapter V for the transfer. Even if this is pursuant to a court order, that won’t necessarily save you or provide you with a valid legal basis for the transfer because under Article 48 GDPR, transfer pursuant to a judgment can only be recognized or enforced if it is based on an international agreement (such as a treaty on mutual legal assistance between the requesting third country and the EU or a Member State) without prejudice to other grounds for transfer under Chapter V of the Data Protection Regulation. (Reminder: the UK left Article 48 behind.) Feel free to refer to the joint opinion of the European Supervisory Board and the European Data Protection Board of 10 July 2019 Parliament’s LIBE Committee. The opinion describes the legal conditions for the transfer of personal data based on requests to the United States under the US CLOUD Act. You must ensure that your data processor ensures adequate guarantees that the rules of GDPR are complied with (so have them say it in your Article 28 agreement). Ensure the necessary processing

Read more

Explore the site

More from the blog

Latest News